Bug 7119 - Enable MyProxyCA to include a certificate chain of intermediate CA certificates with EECs Issued
Product: MyProxy
Version: 5.2
Hardware/OS: All All
Importance: P3 enhancement
Target Milestone: ---
Assigned To:
Reported: 2011-01-10 06:50 by
Modified: 2011-02-28 09:09 (History)

Description From 2011-01-10 06:50:09
The associated CA with a given MyProxyCA may itself be an intermediate CA
issued from a root CA or further intermediate CA.  It would be a useful
addition to be able to configure the server so that these CA certificates were
returned in logon responses along with the new short term credential issued.  

This would simplify the configuration of services consuming the credential
since they would need only to keep a copy of the respective root CA
certificate.  In addition, tests with Java based services have shown that for a
given client certificate making a request over SSL, only the issuing
certificate is required to be present in the server's truststore.  This means
that for client certificates issued as part of a trust chain of CA
certificates, the verification process is not completed back to the root CA
unless the complete chain of intermediate certificates is passed by the client.
------- Comment #1 From 2011-01-11 17:43:31 -------
Hi Philip. Our plan is to add a myproxy-server.config option for specifying the
path to a file containing one or more intermediate CA certificates to be added
to the certificate chain for every CA GET response. Does that sound like it
will provide what you need? We'll update this bug when it's in CVS so you'll
have an opportunity to test before release.
------- Comment #2 From 2011-01-12 00:26:56 -------
That sounds great - thanks.

------- Comment #3 From 2011-01-12 17:02:34 -------
Implemented a myproxy-server.config certificate_issuer_subca_certfile option.
Mods in CVS.
------- Comment #4 From 2011-01-12 17:29:36 -------

A release candidate is available for testing here:

$ openssl sha1 < myproxy-5.3rc1.tar.gz 

When you get a chance, please give it a try and let us know how it works for

------- Comment #5 From 2011-01-19 02:59:26 -------
Thanks for getting this out so quickly.  I've not had a chance to try it out
but will look at it soon and let you know.

------- Comment #6 From 2011-02-28 09:09:28 -------
Included in MyProxy 5.3 released 17 Jan 2011.

Please re-open this bug if any changes are required.